With the recent enforcement of J-SOX (the Financial Instruments and Exchange Law), demand has been increasing not only for internal control and compliance but also for stricter operation and stronger control over IDs and access rights.
Conventionally, this field has offered products such as Sun Java Identity Manager, which integrally manage the ID information held by each system within an enterprise, and systems such as Oracle Role Manager, which integrally manage the roles held by the systems within an enterprise. A function for checking a security policy (segregation of duties) is embedded in such products or systems in order to reinforce control.
This function performs its checks by using a matrix such as the following.
TABLE 1
        ROLE A  ROLE B  ROLE C  ROLE D
ROLE A
ROLE B  X
ROLE C  ◯       X
ROLE D  ◯       X       ◯
Each circle (◯) in the table indicates that, under the security policy, a user may simultaneously use (belong to) the two roles indicated by the row and the column. Each cross (X) indicates that, under the security policy, a user is prohibited from simultaneously using the two roles indicated by the row and the column.
For example, a user cannot simultaneously use roles A and B, but can simultaneously use roles A and C. Based on such definitions, a system that integrally manages IDs and roles performs the check by using user-role assignment information, which indicates the roles to which each person managed by the system belongs.
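The following is an added example, not code from this publication or from the products it names, showing how a segregation-of-duties check driven by Table 1 and by user-role assignment information can be carried out; the user names and assignments are constructed for illustration, and the matrix is read from its lower-triangular form.

```python
# Added example (not from the patent): separation-of-duties check driven by
# the role/role matrix of Table 1 and by user-role assignment information.
# Users and assignments below are constructed for illustration.
from itertools import combinations

# Lower-triangular form of Table 1: row role -> {column role: mark}.
# "X" = the two roles may not be held simultaneously, "O" = they may.
TABLE_1 = {
    "ROLE B": {"ROLE A": "X"},
    "ROLE C": {"ROLE A": "O", "ROLE B": "X"},
    "ROLE D": {"ROLE A": "O", "ROLE B": "X", "ROLE C": "O"},
}

def prohibited_pairs(matrix):
    """Expand the triangular matrix into a symmetric set of prohibited role pairs."""
    pairs = set()
    for row, cols in matrix.items():
        for col, mark in cols.items():
            if mark == "X":
                pairs.add(frozenset((row, col)))
    return pairs

def find_violations(matrix, assignments):
    """Return {user: [(role, role), ...]} for every user holding a prohibited pair."""
    banned = prohibited_pairs(matrix)
    violations = {}
    for user, roles in assignments.items():
        bad = [p for p in combinations(sorted(set(roles)), 2)
               if frozenset(p) in banned]
        if bad:
            violations[user] = bad
    return violations

def can_assign(matrix, current_roles, new_role):
    """Pre-assignment check: would adding new_role to current_roles violate policy?"""
    banned = prohibited_pairs(matrix)
    return all(frozenset((r, new_role)) not in banned
               for r in current_roles if r != new_role)

# Constructed user-role assignment information (hypothetical users).
ASSIGNMENTS = {
    "alice": ["ROLE A", "ROLE C"],            # permitted combination
    "bob":   ["ROLE A", "ROLE B"],            # A/B is prohibited
    "carol": ["ROLE B", "ROLE C", "ROLE D"],  # B/C and B/D are prohibited
}

if __name__ == "__main__":
    for user, pairs in find_violations(TABLE_1, ASSIGNMENTS).items():
        print(f"{user}: prohibited combinations {pairs}")
```

The pre-assignment check is what an ID management system would run before granting a new role, while the full scan is the periodic audit over existing assignments.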
Regarding the above-described technique, Japanese Laid-open Patent Publication No. 2007-041881 discloses an information processing device for verifying that the settings of mandatory access control based on an RBAC (Role Based Access Control) model and a TE (Type Enforcement) model are suitable. Additionally, Japanese Laid-open Patent Publication No. 2007-072581 discloses a policy set generating apparatus for generating a policy set that can replace two policy sets.